Common Vulnerability Scoring System (CVSS)
Common Vulnerability Scoring System (CVSS) is a risk management approach to quantifying vulnerability data and then taking into account the degree of risk to different types of systems or information.
- is an industry-standard method for assessing the severity of software vulnerabilities
- open standard based on severity
- provides an objective measure of the risk posed by a given vulnerability
- enables IT teams to prioritize remediation efforts and allocate resources more effectively
- maintained by The Forum of Incident Response and Security Teams (FIRST)
Scoring
- score is based on a wide range of factors
  - e.g., type of vulnerability, affected system, potential impact on the system
- based on the concept of risk
  - likelihood of a vulnerability being exploited on a particular system + the potential impact
- generates a score from 0-10
  - based on characteristics of the vulnerability
- scores are banded into descriptions:
| Score | Description |
|---|---|
| 0 | None |
| 0.1+ | Low |
| 4.0+ | Medium |
| 7.0+ | High |
| 9.0+ | Critical |
Score Calculation
- Identify the threat agent
  - common threat agents used in CVSS scoring metrics:
    - unauthenticated, authenticated, and remote unauthenticated users
- Identify the affected system
  - identifying the product name and the type of system involved
- Assign a score based on impact
  - scoring metrics include confidentiality, integrity, availability, and accountability
- Identify the probability of the threat agent accessing the system
  - includes evaluating the system's environment and the threat agent's abilities
- Calculate the overall CVSS score
  - formula used will vary depending on the scoring metrics identified in previous steps
CVSS Calculators
NIST provides some CVSS calculators:
- Version 3: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
- Version 4: https://www.first.org/cvss/calculator/4.0
FIRST Calculator:
- Version 3.0: https://www.first.org/cvss/calculator/3.0
Cisco Calculator:
CVSS Metrics
Interpreting CVSS Vector Strings
A CVSS vector string is a piece of additional information provided alongside a CVSS score to provide more context around the scoring metrics used to calculate the overall CVSS score.
- broken into fields that include the:
  - vulnerability identifier
    - contains the identifier used to calculate the overall CVSS score
  - impact
    - provides the overall impact score to the affected system due to the exploitation of the vulnerability
  - environmental concerns
    - indicates the risk associated with the vulnerability in the target host environment
  - additional info
    - provides details about the vulnerability, such as the vendor name, the impact type, and more
Example
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- CVSS version: 3.0
- Attack vector: Network
- Attack complexity: Low
- Privileges required: None
- User interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: None
- Availability: None
Can use the NIST CVSS calculator to get the final score.
CVSS v4.0
- released Nov. 2023
- provides greater granularity to the characteristics and severity of software vulnerabilities
- notable changes:
  - addition of the new Base Metric Attack Requirements (AT)
    - describes the prerequisite conditions that enable an attack
  - Scope (S), Confidentiality (C), Integrity (I), and Availability (A) are replaced with:
    - Vulnerable System Confidentiality (VC)
    - Vulnerable System Integrity (VI)
    - Vulnerable System Availability (VA)
    - Subsequent System Confidentiality (SC)
    - Subsequent System Integrity (SI)
    - Subsequent System Availability (SA)
  - added new Threat, Environmental, and Supplemental groups
    - to provide better context to the score